Force DNS regardless of device dns?

Hi all,

WRT1200ac running OpenWrt 18.06.1
We run a Wireguard VPN (wireguard.com) however suffer from individual device DNS leaks as some users have google dns or 1.1.1.1 etc.

I'm wanting to have ALL devices to run the vpn's dns servers regardless if custom dns is selected on say an iphone.

Is this possible to bypass device dns and direct the dns requests through the tunnel?
How could I do this?

Thank you

Possible if you use the firewall to force all outgoing packages going into port 53 to get hijacked into the local resolver (your router) and that forwards the query into the tunnel, so that no device can directly send DNS queries outside.

The adblock package contains option for that functionality.

Or you can craft the necessary iptables rules by yourself.

1 Like

Sure, you can use the DNAT or REDIRECT target of iptables to force DNS requests to your router.

Here's an UCI example (provided you've defined your VPN subnets in a 'vpn' zone:

config redirect
	option name 'Redirect-DNS-from-VPN-zone'
	option src 'vpn'
	option dest '!lan'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

Here's how to redirect all incoming DNS requests to the router regardless of zone with iptables:

iptables -t nat -A prerouting_rule -p udp --dport 53 -j REDIRECT
iptables -t nat -A prerouting_rule -p tcp --dport 53 -j REDIRECT
2 Likes

Thank you for your reply,

"Provided you've defined your VPN subnets in a 'vpn' zone"
Could you explain this?

This is the guide followed to set up the vpn:

Its a little different to the usual openvpn guide

You have two pre-defined zones called 'lan' and 'wan'. Similarly you could define your wireguard interfaces as the 'vpn' zone which you can then use to firewall VPN traffic.

Read more here: https://oldwiki.archive.openwrt.org/doc/uci/firewall#zones

My advice is to stop blindly following step by step guides and instead try to learn the different involved components. That way you can implement your needs and actually be able to troubleshoot if there's a problem.

:wink: